-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A quick test of OWA 2007 shows that it is not vulnerable...
On Sat, 15 Nov 2008 11:36:26 -0500 Micheal Cottingham <[EMAIL PROTECTED]> wrote: >I found and reported this back in 2005/2006. Microsoft told me >that it >had been reported previously and that it would be fixed in the >next >release, which I'm guessing they meant 2007. I do not know if they >have fixed it in Exchange 2007. > >On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti ><[EMAIL PROTECTED]> wrote: >> Hi all, >> also I've found this vulnerability 1 year ago during a pt and >work fine >> with url obfuscation. I've read that with owa 2007 this >vulnerability is >> patched but I don't have tried yet. >> >> Best regards, >> Piergiorgio >> >> >> Giuseppe Gottardi ha scritto: >>> Davide, let me comfort you... >>> >>> I found this vulnerability 1 year ago during a penetration test >>> activity and I never reported before for my negligence :-) >>> >>> >https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.as >p%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0 >>> >>> Best regards, >>> oveRet >>> >>> >>> On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote: >>> Hi, >>> >>>> I found and notified this vulnerability to Microsoft in date: >>>> >>>> Tue, 10 Apr 2007 15:40:13 +0200 >>>> >>>> You read exactly, April 2007, 1 year and 6 months ago. :( >>>> >>>> The Microsoft Security Response Center opened the case ID MSRC >7368br. >>>> >>>> The bug has never been patched since 1 year and 6 months. >>>> I asked time to time for updates but they always answered me >that the >>>> bug had to be patched with the next Service Pack and they did >not have >>>> any ETA. >>>> >>>> This SP has still to be released. >>>> >>>> They told me that if I released the vulnerability prior to the >official >>>> patch, I could not be officially credited for that. I tought >it was not >>>> a critical vuln, and so I waited. Too much (?). >>>> >>>> I am a bit sorry for Microsoft, I think they lost an other >chance since >>>> now I feel a bit tricked. I am not sure if the next time I >will wait so >>>> much and I am not sure if I will suggest to anyone to wait for >the >>>> patch. I just hope Microsoft will credit me in the official >patch. :( >>>> >>>> Below you can find the first mail I wrote to MS regarding the >issue. >>>> >>>> Best regards, >>>> >>>> Davide Del Vecchio. >>>> >>>> >>>> From: "Davide Del Vecchio" <[EMAIL PROTECTED]> >>>> To: [EMAIL PROTECTED] >>>> >>>> Subject: Microsoft Outlook Web Access "redir.asp" Redirection >Weakness >>>> Date: Tue, 10 Apr 2007 15:40:13 +0200 >>>> >>>> Hello, >>>> >>>> I found a weakness in Microsoft Outlook Web Access (OWA), >which >>>> potentially can be exploited by malicious people to conduct >phishing >>>> attacks. >>>> The weakness is caused due to a design error in the way OWA >uses an >>>> unverified user supplied argument to redirect a user after >successful >>>> authentication. >>>> This can e.g. be exploited by tricking a user into following a >link from >>>> a HTML document to the trusted login page with a malicious >"url" parameter. >>>> After successful authentication, the user will be redirected >to the >>>> untrusted (fake) site. >>>> >>>> The affected product is: >>>> Microsoft Outlook Web Access ( OWA ) >>>> Windows 2003 >>>> >>>> Examples: >>>> https://[owa- >url]/exchweb/bin/redir.asp?URL=http://www.example.com >>>> >>>> this will take the user to http://www.example.com when the >login box >>>> is pressed. >>>> >>>> https://[owa- >url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe >>>> prompts the user to download an executable or other file. >>>> >>>> The attacker can then have a page to capture the user / >password >>>> and redirect back to the original login page or some other >form of >>>> phishing attack. >>>> >>>> Note that this vulnerability is very similar to the one >affecting >>>> "owalogin.asp" described here: >>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420 >>>> >>>> Best regards, >>>> >>>> Davide Del Vecchio. >>>> >>>> Martin Suess ha scritto: >>>> >>>> ... >>>> >>>> >>>>> Timeline: >>>>> --------- >>>>> Vendor Status: MSRC tracking case closed >>>>> Vendor Notified: March 31st 2008 >>>>> Vendor Response: May 6th 2008 >>>>> Advisory Release: October 15th 2008 >>>>> Patch available: - (vulnerability not high priority) >>>>> >>>> >>> >>> >>> >> >> >> -- >> +---------------------------------------------------------------- >------+ >> | Ing. Piergiorgio Venuti, CCSP > | >> | 0x5ECFE022 - B44B C817 3793 C7C7 2734 F898 DE03 8961 >5ECF E022| >> +---------------------------------------------------------------- >------+ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQECAAYFAkkfdtUACgkQi04xwClgpZj1/gP/VtLOffJOWpY5N8Kn7dmxWmQvUwcE bMr95/K38W+ied5X7apy2Ia+jtpgX8d5A0BcO4qga22bcRB90VDTaG0+/cTsylhq1E0M kfRLs5kJz5As+gAXv28G2sQ8plIDsGkA2eo9dERiuYpH6fvdVnEC3z0B1DnHTcN8mM+G CE+62tc= =7suT -----END PGP SIGNATURE----- -- Click for free info on getting an MBA, $200K/ year potential. http://tagline.hushmail.com/fc/PnY6qxsZwT4rGVHbB4AisvjVw0XZavmA0GT3ROwrGeggWcBAI8H5O/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/